Chp 4 IAM Flashcards

1
Q

FRR

A

False Rejection Rate (FRR)
The rate at which a legitimate user is incorrectly rejected by the system.

2
Q

FAR

A

False Acceptance Rate (FAR)
The rate at which an unauthorized user is incorrectly accepted by the system.

3
Q

CER

A

Crossover Error Rate (CER)
The point at which the rates of FRR and FAR are equal.

4
Q

FER

A

Failure to Enroll Rate (FER)
The percentage of instances in which the system fails to create a biometric template for a user during the enrollment process. This template is required for all subsequent authentication attempts.

5
Q

FIDO

A

Fast Identity Online (FIDO) is an open authentication standard that strengthens and simplifies two-factor authentication (2FA) by using specialized hardware devices.

6
Q

hard authentication token

A

A hard authentication token, also known as a hardware token, is a physical device used to authenticate a user’s identity. These tokens provide an additional layer of security by requiring something the user possesses in addition to something they know (e.g., a password).

7
Q

soft authentication token

A

A soft authentication token, also known as a software token, is a digital form of an authentication token, typically implemented as an application on a user’s device (e.g., smartphone, tablet, or computer). Soft tokens provide a convenient way to implement two-factor authentication (2FA) without the need for physical hardware.

8
Q

Attestation

A

Attestation is the process of verifying the authenticity and integrity of a device or system.
Think “Trusted Platform Module (TPM) chip used to prove a hardware root of trust.”

9
Q

DAC

A

Discretionary Access Control (DAC) is a type of access control model where the owner of the resource (such as files or data) has the authority to determine who can access it. The owner decides which users are granted access to specific resources and what operations they can perform.
“It is also the easiest to compromise, as it is vulnerable to insider threats and abuse of compromised accounts.”

10
Q

MAC

A

Mandatory access control (MAC) is based on security clearance levels. For example, a user with Top Secret clearance could read data with Top Secret, Secret, and Confidential classification labels. A user with Secret clearance could access Secret and Confidential levels only.

11
Q

ABAC

A

Attribute-Based Access Control (ABAC) is an access control model that makes decisions based on attributes of the user (subject).
User attributes: information about the user, such as role, department, clearance level, or location.

12
Q

RBAC

A

Role-based access control (RBAC) means that an organization defines its permission requirements in terms of the tasks that an employee or service must be able to perform.

13
Q

SID

A

In Windows, a user account is defined by a unique security identifier (SID).

14
Q

GPOs

A

Group Policy Objects (GPOs) are a set of rules and configurations in Microsoft Windows environments used to manage and configure operating systems, applications, and user settings within an Active Directory (AD) infrastructure.

15
Q

PAM

A

Privileged access management (PAM) refers to policies, procedures, and technical controls to prevent compromise of privileged accounts.

16
Q

SAW

A

A secure administrative workstation (SAW) is a computer with a very low attack surface, running the minimum possible set of applications.

17
Q

JIT

A

Just-in-Time (JIT) permissions are a security approach in which elevated privileges for accounts are granted only when needed and for a limited time, rather than being assigned permanently at login.

18
Q

ZSP

A

Zero Standing Privileges (ZSP) is a security approach where no user or account has permanent elevated privileges. Instead, elevated access rights are granted only when needed and are revoked immediately after the task is completed.

19
Q

LSASS

A

Local Security Authority Subsystem Service (LSASS) is a critical Windows operating system process responsible for enforcing the security policy on the system. It handles various security-related tasks such as user authentication, password changes, and creation of access tokens.

20
Q

SAM

A

Security Accounts Manager (SAM) is a database in Windows operating systems that stores user accounts and security descriptors for users on the local computer.

21
Q

NTLM

A

NT LAN Manager (NTLM) is a suite of Microsoft security protocols intended to provide authentication, integrity, and confidentiality to users.

22
Q

LDAP

A

Lightweight Directory Access Protocol (LDAP) is a protocol used to access and manage directory information over a network. It is commonly used to authenticate and authorize users and manage user credentials in directory services.

23
Q

KDC

A

A Key Distribution Center (KDC) is a crucial component of the Kerberos authentication protocol. It is responsible for securely distributing cryptographic keys and authenticating users and services within a network.

24
Q

TGT

A

A Ticket Granting Ticket (TGT) is a special ticket issued by the Key Distribution Center (KDC) in the Kerberos authentication protocol. It allows users to obtain service tickets for accessing various services within a network without needing to repeatedly enter their credentials.

25
Q

TGS

A

The Ticket Granting Service (TGS) is a component of the Key Distribution Center (KDC) in the Kerberos authentication protocol. It issues service tickets that allow clients to access specific services within the network.

26
Q

TGS session key

A

The TGS session key is used for communication between the client and the Ticket Granting Service (TGS). It is sent to the client encrypted using a hash of the user’s password.

27
Q

Federation

A

Federation refers to a system where different organizations or networks trust each other’s authentication mechanisms. This allows users from one network (such as partners, suppliers, or customers) to access resources on another network without needing a separate set of credentials.

28
Q

IdP

A

Identity provider (IdP): in a federated network, the service that holds the user account and performs authentication.

29
Q

SAML

A

Security Assertion Markup Language (SAML) is an open standard for exchanging authentication and authorization data between parties.

30
Q

SOAP

A

Simple Object Access Protocol (SOAP) is a protocol for exchanging structured information in the implementation of web services.

31
Q

REST

A

Representational State Transfer (REST) is a standardized, stateless architectural style used by web applications for communication and integration. Many public clouds use application programming interfaces (APIs) based on REST rather than SOAP.

32
Q

OAuth

A

The Open Authorization (OAuth) protocol is designed to facilitate sharing of information (resources) within a user profile between sites. It is used with REST APIs.

33
Q

JWT

A

A JSON Web Token (JWT) is used in OAuth for securely transmitting information; it is digitally signed. JWTs are commonly used for authentication and authorization in web applications.

34
Q

A company using Windows Server technology needs to link its Active Directory to a third-party service to allow single sign-on. Which service that uses the standard X.500 would work for the company?

A. Virtual Private Network
B. Lightweight Directory Access Protocol
C. Application Programming Interface
D. Local Security Authority Subsystem Service

A

B
Lightweight Directory Access Protocol (LDAP) is a protocol companies use for accessing network directory databases. LDAP stores information about authorized users, their privileges, and other organizational information.

35
Q

A company wants to set up single sign-on (SSO) without passing credentials through to each piece of software and cloud service. Which protocol would meet this requirement?

A. Kerberos
B. Fast IDentity Online
C. Virtual Private Network
D. Open Authorization

A

D
The Open Authorization (OAuth) protocol is a system that facilitates the sharing of information (resources) within a user profile between sites. OAuth can be used to implement SSO by allowing users to log in once and access multiple applications without passing credentials through to each piece of software. OAuth can be integrated with other mechanisms to provide SSO capabilities and also supports OpenID Connect (OIDC) tokens to enhance identity verification when needed.

36
Q

During a recent audit, a company noticed a troubling trend where people had their passwords on sticky notes in their work area. The employees stated that the password policy made it too difficult to remember them. Which policy should the company change to alleviate this issue?

A. Password complexity
B. Password reuse
C. Password history
D. Password management

A

A
Modifying the password complexity policy to allow for longer but easily remembered passwords can aid in lowering the number of people saving their passwords insecurely.

37
Q

An engineering firm wants to implement an authentication design that uses a framework for passwordless authentication. What statement is not accurate regarding passwordless authentication?

A. The user chooses either a roaming authenticator, such as a security key, or a platform authenticator implemented by the device OS.
B. The relying party uses a private key to verify the signature and authenticate the account session.
C. The user registers with a web application or service, referred to as a relying party.
D. When presented with an authentication challenge, the user performs the local gesture to unlock the private key.

A

B
On the contrary, in the passwordless authentication framework the relying party uses the public key, not the private key, to verify the signature and authenticate the account session.

38
Q

A manufacturing company recently bought out another similar company. They need to link each company’s directory systems together to access their resources without merging the two. How can they link the two directory systems together?

A. Site-to-site VPN
B. Migration
C. Federation
D. Location-based restrictions

A

C
Federated directories allow two separate sets of accounts to work together for permissions and access without merging them.